February 20, 2009

GEORGE W. WRIGHT
VICE PRESIDENT, INFORMATION TECHNOLOGY OPERATIONS

SUBJECT: Audit Report – Access Controls in the Enterprise Data Warehouse (Report Number IS-AR-09-004)

This report presents the results of our audit of access controls in the Enterprise Data Warehouse (EDW) (Project Number 08RG027IS000). The report is the result of a self-initiated audit, which addresses operational risk. See Appendix A for additional information about this audit.

Conclusion

Overall, we believe the U.S. Postal Service has been diligent in its efforts to secure sensitive information stored in EDW from inappropriate access. However, management needs to strengthen access controls governing contractors who are nonstandard users of the system, update the Business Impact Assessment (BIA), recertify EDW, and simplify how EDW managers assign and maintain access rights.

Contractor Access to Enterprise Data Warehouse

Access controls are not adequate for EDW nonstandard users[1] who are contractors. Our analysis showed that for 90 out of 107 contractors (84 percent), their justifications for continued access to EDW listed on Postal Service (PS) Forms 1357, Request for Computer Access, referenced contracts that had expired. Further, we found that 72 of the 90 contractors (80 percent) with expired contracts listed had logged into EDW after their contract expiration date. We contacted several of these contractors and determined they were working on other Postal Service contracts. However, their supporting documentation did not reflect that information, and we could not determine whether their work on these contracts justified their continuing access to EDW.

This occurred because the Postal Service does not track contractors’ access to the EDW application or their contract expiration date.
In addition, the Postal Service elected not to use eAccess[2] as a tracking mechanism. EDW managers said they had not used eAccess for nonstandard users in the past because eAccess did not provide the additional levels of approval they thought were necessary. Requests for nonstandard access to EDW through eAccess should require additional levels of approval, much like the current process for approving PS Forms 1357. Managers indicated that if eAccess provided the option of selecting nonstandard access, rather than standard access only, they would prefer to use eAccess. Postal Service policy[3] requires managers to revoke access to information when an employee no longer requires it. Managers’ not revoking a contractor’s access when a contract expires could result in unauthorized individuals having access to sensitive EDW information.

[1] Nonstandard users of EDW have access to the actual data in the system, unlike standard users, who can view only the reports generated from EDW but cannot access the actual data.

We recommend the Vice President, Information Technology Operations, direct the Manager, Business Data Management, to:

1. Set expiration dates for contractors’ access on or before the expiration date of the contracts they use to justify their access to the Enterprise Data Warehouse.

2. Use eAccess to request and approve access for nonstandard users of the Enterprise Data Warehouse, and update eAccess to enable the requestor to select standard or nonstandard access.

Enterprise Data Warehouse Recertification

Information in the EDW BIA is not currently up to date. EDW has grown significantly since its Information Security Assurance (ISA) certification in June 2004. EDW is designed to store data from multiple Postal Service applications.
As such, it is critical that management complete the ISA and BIA process for each business area component that feeds into EDW and provide the information to EDW managers. EDW managers should also consider the business application ISA information in the updated BIA for EDW. Postal Service policy[4] states that management must reinitiate the ISA a minimum of every 5 years following its initial application, or when a significant change occurs in the operating environment, business requirements, or application. In addition, the Enterprise Information Repository lists EDW as needing recertification every 3 years, which means recertification was due June 24, 2007.

Management was not aware of the requirement to update the BIA for EDW. Therefore, EDW has not been recertified. In addition, EDW managers stated that the business areas that have applications located within EDW have not provided a current BIA for their applications. Our audit identified 45 sensitive applications that feed into EDW. As of January 2, 2009, nine[5] of these systems had not completed a BIA. Consequently, EDW managers have reason to question the reliability of the information available to them about which data elements are sensitive. As a result, unauthorized users may have access to sensitive data, which could also create a risk to the integrity of the Postal Service brand.

[2] The eAccess system has become an integral part of the day-to-day operations of the Postal Service. The system not only monitors who obtains access to various Postal Service resources, but also automates the creation and maintenance of user accounts. Its functionality provides efficiencies that allow for the elimination of PS Form 1357, and the associated manual effort necessary to approve and create user accounts.

[3] Handbook AS-805, Information Security, dated March 2002 (updated with Postal Bulletin revisions through November 23, 2006), Chapter 9, Information Security, Section 4.2.7: Revoking Access.

[4] Handbook AS-805-A, Application Information Security Assurance (ISA) Process, dated July 2003 (updated with Postal Bulletin revisions through September 29, 2005), Chapter 6, Re-Initiating the ISA, Section 6-2, When Re-ISA is Required.

We recommend the Vice President, Information Technology Operations, direct the Manager, Business Data Management, to:

3. Update the Business Impact Assessment for the Enterprise Data Warehouse and recertify the system as required by Postal Service Handbook AS-805-A, Application Information Security Assurance (ISA) Process.

We recommend the Vice President, Information Technology Operations, direct the Manager, Corporate Information Technology Portfolios, to:

4. Ensure all business areas that feed data into the Enterprise Data Warehouse provide a current Business Impact Assessment for their applications to the Enterprise Data Warehouse Program Manager, Information Technology; the Business Impact Assessment should verify which data elements are sensitive and need additional security measures.

EDW Access Rights

The current process for assigning and managing access rights within EDW is very complicated and too time-consuming to manage effectively. This occurred because management assigns rights to individuals, roles, and nested roles as a matter of practice. Our request for information on the detailed rights for 130 users returned over 300,000 lines of data. Management would need to analyze each line of data to determine the detailed rights for these individuals, and whether the rights granted are appropriate.

Best practices[6] encourage access to computer applications and systems to be role based, which means that management grants permissions to roles. Management makes users members of roles, so the users acquire the permissions granted to the roles. Because managers do not assign user permissions exclusively to roles, they have little knowledge about users’ rights in EDW.
Managers could also misinterpret access rights for an individual and provide access to sensitive information to users who do not need the information.

[5] Customer Advocate Management System, Vehicle Management and Accounting System, Supply Chain Management, Accounting Data Mart, Complement Management and Selection, Safety and Health, Electronic Marketing Reporting System, Unique Customer Identification, and Employee Receivables.

[6] Planning Report 02-1, The Economic Impact of Role-Based Access Control, prepared by the Rochester Institute of Technology for National Institute of Standards and Technology, Program Office Strategic Planning and Economic Analysis Group, dated March 2002, Chapter 2, The Evolution of Role-Based Access Controls, Section 2.1.1, Users, Roles, and Permissions.

We recommend the Vice President, Information Technology Operations, direct the Manager, Business Data Management, to:

5. Assign access rights to roles instead of to individual and nested roles.

Management’s Comments

Management agreed with all of the recommendations and stated that Business Data Management will reevaluate the process for all contractors requesting access for EDW to ensure they do not have access rights after the contract period has expired. The scheduled completion date is July 30, 2009. Further, management will update and use eAccess as the mechanism for approving access for non-standard users by April 17, 2009. Business Data Management will also update the BIA and recertify the EDW as required by August 28, 2009. In addition, Corporate Information Technology will ensure that current BIAs are in place for business areas that feed data into the EDW, and will also verify which data elements are sensitive and require additional security measures by May 31, 2009.
Finally, management agreed they need to assign access rights to roles instead of individuals. Management will reevaluate access rights and analyze nested roles to determine if they can improve the current process by July 30, 2009. See Appendix B for management’s comments in their entirety.

Evaluation of Management’s Comments

The U.S. Postal Service Office of Inspector General (OIG) considers management’s comments responsive to the recommendations and corrective actions should resolve the issues identified in the report.

The OIG considers recommendations 1, 2, 3, and 4 significant, and therefore requires OIG concurrence before closure. Consequently, the OIG requests written confirmation when corrective actions are completed. These recommendations should not be closed in the Postal Service’s follow-up tracking system until the OIG provides written confirmation that the recommendations can be closed.

We appreciate the cooperation and courtesies provided by your staff. If you have any questions or need additional information, please contact Frances E. Cain, Acting Director, Information Systems, or me at (703) 248-2100.

E-Signed by Tammy Whitcomb

Tammy L. Whitcomb
Deputy Assistant Inspector General for Revenue and Systems

Attachments

cc: Ross Philo
    Harold E. Stark
    John T. Edgar
    Greg G. Wallace
    Jerry McClure
    Katherine S. Banks

APPENDIX A: ADDITIONAL INFORMATION

BACKGROUND

A data warehouse is a collection of data from many sources, stored in a single place for reporting and analysis. A data mart is a repository of data gathered from operational data and other sources that is designed to serve a community of knowledge workers. In general, a data warehouse tends to be a strategic, but somewhat unfinished, concept; a data mart tends to be tactical and aimed at meeting an immediate need.

The Postal Service has traditionally stored data in older systems (called legacy systems) that are by nature stove-piped, or self-contained; therefore, these systems are inaccessible for use with other data or by other business organizations. Because of overlapping needs, various systems often contain the same information, which may or may not produce the same reporting results from system to system. The EDW is a collection of data from many sources that is stored in a single place for reporting and analysis. It provides a single repository for managing all of the Postal Service’s data assets for a wide variety of users. The data can be divided in various ways within and across functions for deeper analysis, which can lead to additional revenue, reduced costs, and improved business practices. Several Postal Service organizations have data in EDW, including, but not limited to, Retail, Supply Chain Management, Finance, Network Operations, and Facilities.
The primary reporting tool is a web-based tool from MicroStrategy, Inc., which offers greater functionality than is possible with Postal Service systems and reporting tools.

OBJECTIVE, SCOPE, AND METHODOLOGY

The objective of this audit was to determine if access controls were adequate to prevent inappropriate access to sensitive information in the EDW. To accomplish our objective, we reviewed documentation, policies, and procedures and interviewed key officials within the Business Data Management group in Raleigh, NC; Information Technology in Eagan, MN; and Corporate Information Security in Washington, DC. In addition, we reviewed the Enterprise Information Repository to determine which applications feeding into EDW were sensitive. We also obtained a list of current nonstandard users of EDW who are contractors. We obtained and reviewed[7] contractors’ PS Forms 1357 to determine, based on the contract expiration date, whether the justification for access was valid, and to identify contractors’ rights and access they had within EDW. We compared contractors’ last login dates in EDW with contract expiration dates to determine whether contractors were still accessing information within EDW after their contract expired. In addition, we contacted a selection of nonstandard users of EDW whose employee status was missing from our data to determine whether they were Postal Service employees or contractors.

[7] We reviewed 107 of a total of 112 (96 percent) contractors who had nonstandard access to EDW. We were unable to locate five of these files.

We worked with Postal Service officials to develop a switch user test, which meant finding an existing script that a nonstandard user uses and editing it so a different user could accomplish the same task. In addition, we interviewed Postal Service officials who create and review scripting logs of the EDW, and we reviewed policy for scripting logs. We also ran a test to query the EDW logs to verify that the required logs were being created. To verify the existence of two required logs deemed too sensitive to create views, we observed nonstandard users with administrative rights gaining direct access to these logs.

We conducted this performance audit from June 2008 through February 2009 in accordance with generally accepted government auditing standards and included such tests of internal controls as we considered necessary under the circumstances. Those standards require that we plan and perform the audit to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe that the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective. We discussed our observations and conclusions with management officials on January 14, 2009, and included their comments where appropriate. We determined that the computer-generated data used to support our findings was sufficiently reliable for the purposes of this audit.
We validated this information by conducting interviews and reviewing hardcopy documentation (PS Forms 1357) that supported data extracted from EDW.

PRIOR AUDIT COVERAGE

In our report titled, Update Processes for Active Directory and CA-ACF2 (Report Number IS-AR-08-009, dated March 14, 2008), we recommended making improvements to the approval process and tracking detailed employees in eAccess to help strengthen security controls. Management has implemented the planned eAccess enhancement that will ensure access reviews take place and has updated system documentation for eAccess. However, management has not yet determined how to integrate managers’ roles so the Human Capital Enterprise System can pass accurate and timely employment change data to eAccess or the system for tracking employees who are on detail.

APPENDIX B: MANAGEMENT’S COMMENTS